Using EMET to Disable Specific Applications

Using EMET to Disable Specific Applications

Q: Can I disable Windows Address Space Layout Randomization (ASLR) for just a specific application or can I only disable it for all applications running on the system?

A: You might need to disable the ASLR attack mitigation feature to resolve a compatibility problem with a legacy application. You can exempt a single application by using the Enhanced Mitigation Experience Toolkit (EMET), which is available in the Microsoft Download Center. Previously, Microsoft provided a registry key called MoveImages to disable ASLR system-wide, but this key doesn't work on Windows 7.

You can use EMET not only to enable or disable ASLR but also to manage other attack mitigation features, such as Data Execution Prevention (DEP). With EMET, you can opt in or opt out all applications that are running on a Windows system from these attack mitigation features at once (this is system-wide configuration), or you can opt in or opt out for specific applications or processes (application-specific configuration).

Related: Q. What's the Enhanced Mitigation Experience Toolkit (EMET)?

EMET comes with an easy-to-use GUI tool (EMET_GUI.exe) and a command line tool (EMET_Conf.exe), both of which you can find in the EMET installation directory at \Program Files\EMET.

When you start the EMET GUI tool, you can check the system-wide EMET configuration settings for DEP, ASLR, and Structured Exception Handler Overwrite Protection (SEHOP) at the top of the screen, as Figure 1shows.

The Enhanced Mitigation Experience Toolkit (EMET) GUI
Figure 1: The Enhanced Mitigation Experience Toolkit (EMET) GUI

To configure application-specific EMET settings -- for example, to exempt Google Chrome from ASLR -- you need to click the Configure Apps button at the bottom of the main EMET screen, which opens the Application Configuration screen that Figure 2shows. For this example, you would then locate the chrome.exe executable on your file system by using the Add button, clear the check box for MandatoryASLR, then click OK to confirm the change.

Disabling ASLR for an application from the EMET GUI
Figure 2: Disabling ASLR for an application from the EMET GUI

To do the same task from the command line using the EMET_Conf.exe tool, you must type the following:

emet_conf --set "c:\program files\google\chrome\application\
 chrome.exe" -MandatoryASLR

(Note the use of a double dash before set.)

The latest official EMET version, EMET 3.0, includes an interesting reporting feature called the EMET Notifier, which appears as a lock-like icon in the notification area of the Windows taskbar. EMET Notifier writes EMET-specific events to the Windows event log (the event source is called EMET) and also notifies the user of important EMET events by using tooltips that pop up in the taskbar notification area. For example, when an application crashes due to one of the EMET mitigation settings, a tooltip pops up that states which application is being stopped and what specific attack mitigation caused EMET to stop the application.

EMET 3.0 works on the following client OSs: Windows XP SP3 or later, Windows Vista SP1 or later, and Windows 7. On the Windows Server side, you can use EMET 3.0 on Windows Server 2003 SP1 and later, Windows Server 2008, and Windows Server 2008 R2. You can download EMET 3.0 from Microsoft's website.

In the middle of last year, Microsoft also released a Tech Preview version of EMET 3.5. This version supports several new attack mitigation techniques, such as mechanisms to protect against Return-Oriented Programming (ROP) attacks. The 3.5 release, however, is intended only to let developers evaluate the application compatibility risks of these new attack mitigation techniques. EMET 3.5 isn't ready for widespread enterprise adoption. You can download the EMET 3.5 Tech Preview from the Microsoft Download Center.

More information about EMET can be found in the EMET Users Guide, which is automatically copied to your system when you install EMET 3.0, and in the Microsoft Support article"The Enhanced Mitigation Experience Toolkit."

Learn More: Q: How can I check the effect of the Windows Address Space Layout Randomization (ASLR) feature on a Windows system?

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.